Best Practices to Manage and Reduce Phishing Risk

November 7, 2023 | By Masha Sedova

This piece is part of our ‘Faculty Focus' series, an interview-style article where a member of the IANS Faculty shares firsthand, practitioner-based insights on an infosec topic. In this feature, Masha Sedova discusses the challenges around phishing programs and shares best practices for managing and helping your highest-risk employees become low-risk.


Phishing Q&A with IANS Faculty member, Masha Sedova

Masha Sedova is an award-winning cybersecurity expert, speaker, and trainer focused on helping companies transform their workforce from a security risk into a key element of cyberdefense. She is the co-founder and President of Elevate Security delivering a first-of-its-kind platform that enables organizations to identify risky employees, reduce the likelihood of future incidents, and proactively defend their workforce while ensuring a productive business. In 2021, Fast Company named her one of the most creative people in business. Masha has been a member of the board of directors for the National Cyber Security Alliance and a regular presenter at conferences such as Blackhat, RSA, OWASP, and SANS.

Phishing resilience is hard to measure, and most platforms focus on momentary measurement of a single campaign in terms of employee success or failure. To more accurately gauge an organization’s ability to handle phishing attacks, use metrics that show how employees’ risk types change over time and that identify the distribution of risk across the workforce.


What is the current state of most orgs’ phishing simulation programs? Are they successful in building phishing security awareness?

Masha: Running phishing simulations has been a best practice in security for the last 10 years. Today a typical phishing program will send out between 4 and 12 phishing emails a year to employees. Upon clicking a link, employees are directed to training. A phishing button is often provided as a reporting vehicle for both simulated and actual phishing attacks. More advanced options of these programs include:

  • Segmenting the population to receive different templates or staggering send times
  • Adjusting templates to regional languages
  • Grading templates on difficulty levels
  • Rewarding positive behaviors and awareness
  • Escalating conversations with repeat offenders
  • Terminating individuals with more than three clicking violations

As organizations come to the realization that click-through rates will never get to 0%, inevitably the question arises of ‘what is good enough?’. Do organizations need more phishing tests or fewer? Better training? Restrictions on ‘guilty’ individuals?

Ultimately, these are all the wrong questions, because the problem we are trying to solve can’t be fixed with just simulated phishing. Let’s remember the problem we are trying to solve: reduce the number of user-generated phishing incidents that occur in our organizations. I can count on one hand the number of organizations that tracked phishing incident reduction as a metric of their simulated phishing programs.

In order to effectively tackle this problem, we need broader insights than simulated phishing clicks. This includes insights into who is being targeted by attackers, who falls for actual phishing attacks, what compensating controls someone has, and finally how much ‘security common sense’ they have when it comes to phishing.

Repeated research studies have shown that employees consistently fall into three types of phishing risk (high, medium and low click rates), based on the average number of times they click during simulated phishing tests.

When considering risk, it’s not about the average employee click rate; it’s about the distribution of risk. What percentage of your employees are high risk? An effective program is all about managing and reducing the risk from your highest-risk employees.


How do security teams currently gather metrics on phishing risk distribution? How can they improve on this?

Masha: Common metrics for programs today boil down to two numbers: the average click rate and the average reporting rate for an organization. These are regularly updated as new phishing tests are rolled out, with the hope that clicks will decrease to 0% and reporting rates will skyrocket.

Occasionally, click rate metrics are expanded into greater detail to include factors such as the percentage of employees who submitted credentials, downloaded attachments, or are repeat offenders.

However, there are two gaps in these metrics that organizations should consider when measuring their programs.

  • Benchmarking Tests:
    • One common gap is the lack of graded templates in terms of difficulty, making it challenging to measure progress against similar tests.
    • Current phishing programs vary in terms of template difficulty, with some being easy to detect (low click rates) while others are more challenging (high click rates).
    • Practitioners should establish a phishing difficulty rubric and grade each template prior to sending. Results should be compared against similarly difficult tests.
  • Risk Distribution, Not Average Rates:
    • Programs should determine what qualifies as low, medium, and high-risk phishing behaviors for the organization.
    • Next, determine what percentage of employees fall into each category.
    • Work to remediate the high and medium categories, while retaining good behavior in low-risk individuals.

If your organization must benchmark against a single ‘click rate’, and it will never get to 0%, how do you determine what is an acceptable floor? What is a “good” click rate? There are a few options.

  • Option 1: Vendor benchmarking. The most popular option, but buyer beware! Understand how the report was created and what data sets were used. What phishing difficulties were used? What maturity of companies were benchmarked?
  • Option 2: Metrics for your industry. The Verizon Data Breach Report highlights click rates per industry. Use this annual report to compare yourself with peers.
  • Option 3: Compare your progress over time. Establish an average click rate for easy tests. Once it gets below 10%, increase the difficulty of the tests and repeat training/interventions until click rates go down once again.


How much is enough for these phishing programs? How often should tests be run?

Masha: Enough is a function of the goals of the phishing program. Given that 0% is not possible, here are best practice suggestions:

  • Run enough phishing tests to figure out which risk grouping (High, Med, Low) an employee fits in. Run appropriate interventions for employees in that group.
  • Run tests that are benchmarked against your previous test to track trends. You are looking to reduce the percentage of the population in your high and medium risk groups.

Research data indicates that after seven phishing tests, there’s a plateau in risk reduction. This means that conducting more than seven tests might not provide significant incremental value in terms of improving employee behavior. After about a year of simulations, or 7-11 phishing tests, results stabilize (we see about a 5% click-through rate ongoing).

It’s not just about how many tests there are but also about considering the types of interventions. Beyond standard tests, strategies like phishing-resistant MFA, password manager use, and reducing MFA timeout can be more effective in managing and moving high-risk employees to a lower-risk group.
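The metrics described in the two answers above (grading each employee into a risk tier, reporting the distribution of tiers rather than an average click rate, comparing only tests of the same graded difficulty, and tracking the high-plus-medium share across successive tests) can be computed directly from a simulation platform's per-send export. The script below is an added example and is not code from the article or from Elevate Security; the result records, the field names, and the tier thresholds (a per-employee click rate below 0.15 is low risk, 0.50 or above is high risk) are constructed assumptions that an organization would replace with its own definitions.

```python
"""Phishing-simulation metrics: per-employee risk tiers, risk distribution,
difficulty-graded benchmarking, and trend tracking across campaigns.
Added example; the data and thresholds below are constructed assumptions."""
from collections import defaultdict
from typing import NamedTuple


class SendResult(NamedTuple):
    """One simulated phishing email delivered to one employee (assumed schema)."""
    campaign: int      # sequential test number, used for trend tracking
    employee: str
    difficulty: str    # graded by a rubric before sending: easy / medium / hard
    clicked: bool
    reported: bool


# Constructed sample export: four employees across four campaigns.
SAMPLE_RESULTS = [
    SendResult(1, "alice", "easy",   False, True),
    SendResult(1, "bob",   "easy",   True,  False),
    SendResult(1, "carol", "easy",   False, False),
    SendResult(1, "dave",  "easy",   True,  False),
    SendResult(2, "alice", "medium", False, True),
    SendResult(2, "bob",   "medium", True,  False),
    SendResult(2, "carol", "medium", False, True),
    SendResult(2, "dave",  "medium", False, False),
    SendResult(3, "alice", "easy",   False, True),
    SendResult(3, "bob",   "easy",   False, True),
    SendResult(3, "carol", "easy",   False, True),
    SendResult(3, "dave",  "easy",   True,  False),
    SendResult(4, "alice", "hard",   False, False),
    SendResult(4, "bob",   "hard",   True,  False),
    SendResult(4, "carol", "hard",   True,  False),
    SendResult(4, "dave",  "hard",   True,  False),
]

# Assumed organization-specific tier thresholds on an employee's click rate.
LOW_MAX = 0.15    # a rate below this is low risk
HIGH_MIN = 0.50   # a rate at or above this is high risk


def per_employee_click_rate(results):
    """Clicks divided by sends for each employee."""
    clicks, sends = defaultdict(int), defaultdict(int)
    for r in results:
        sends[r.employee] += 1
        clicks[r.employee] += int(r.clicked)
    return {e: clicks[e] / sends[e] for e in sends}


def risk_tier(rate, low_max=LOW_MAX, high_min=HIGH_MIN):
    """Map an employee's click rate onto the low / medium / high tiers."""
    if rate < low_max:
        return "low"
    if rate >= high_min:
        return "high"
    return "medium"


def risk_distribution(results):
    """Fraction of the workforce in each tier: the number the article asks for
    instead of the population-average click rate."""
    tiers = {e: risk_tier(rate) for e, rate in per_employee_click_rate(results).items()}
    counts = defaultdict(int)
    for t in tiers.values():
        counts[t] += 1
    return {t: counts[t] / len(tiers) for t in ("low", "medium", "high")}


def click_rate_by_difficulty(results):
    """Average click rate per template grade, so that a campaign is only
    benchmarked against campaigns of the same difficulty."""
    clicks, sends = defaultdict(int), defaultdict(int)
    for r in results:
        sends[r.difficulty] += 1
        clicks[r.difficulty] += int(r.clicked)
    return {d: clicks[d] / sends[d] for d in sends}


def reporting_rate(results):
    """Share of all sends that were reported via the phishing button."""
    return sum(int(r.reported) for r in results) / len(results)


def high_medium_trend(results):
    """Share of employees in the high or medium tier after each successive
    campaign, using every result up to and including that campaign.
    A falling series is the progress the program is aiming for."""
    trend = []
    for c in sorted({r.campaign for r in results}):
        dist = risk_distribution([r for r in results if r.campaign <= c])
        trend.append((c, dist["high"] + dist["medium"]))
    return trend


if __name__ == "__main__":
    print("risk distribution:", risk_distribution(SAMPLE_RESULTS))
    print("click rate by difficulty:", click_rate_by_difficulty(SAMPLE_RESULTS))
    print("reporting rate:", reporting_rate(SAMPLE_RESULTS))
    print("high+medium share per campaign:", high_medium_trend(SAMPLE_RESULTS))
```

On the constructed data the population-average click rate hides that half of the employees are in the high tier, which is exactly the distinction the distribution view makes visible; the hard-template click rate (0.75) is also much higher than the easy-template rate (0.375), which is why a campaign should only be compared with earlier campaigns of the same grade.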


How IANS Faculty Expertise Benefits You

Cybersecurity today is faced with a myriad of complex challenges, and the IANS Faculty will help you make informed security decisions that protect your business.

Whether you need guidance on program direction, a tie-breaking opinion on architectural considerations, tool implementation advice, a comprehensive security assessment, a penetration test, or mapping controls to a regulatory standard, we are a trusted partner to provide the best decision support for your security team.

Our mission is to help you make better, faster decisions, grow professionally, and stay compliant. Get in touch with IANS to learn more about how we can help move your security program forward.


Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.
